在单个Web应用程序路径上进行spring-boot设置基本身份验证? [英] spring-boot setup basic auth on a single web app path?

问题描述

我正在尝试在基于spring-boot spring MVC的应用程序中将单个路径(/基本)设置为受基本身份验证保护.我将使用自己的自定义配置参数进行配置，因此用户名和密码仅为"admin"和"admin".

I am trying to setup a single path (/basic) in my spring-boot spring MVC based application to be basic auth protected. I am just going to configure this using my own custom configuration parameters so the username and password are simply "admin" and "admin".

这当前适用于/basic路径(提示我并且可以正确登录).问题在于注销不起作用(我不确定为什么)，还要求其他路径(如所示的/other)获取基本身份验证凭据(在始终被拒绝之前).

This currently works for the /basic path (I am prompted and can login correctly). The problem is that logout does not work (and I am not sure why) and also other paths (like /other shown) are being asked for basic auth credentials (before always being denied).

static class MyApplicationSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/open").permitAll();
        http.authorizeRequests().antMatchers("/other").denyAll(); // Block it for now
         http.authorizeRequests().antMatchers("/basic").authenticated().and().httpBasic().and().logout().logoutUrl("/basic/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
    }
}

我希望/other总是被拒绝，但是我不明白为什么要进行基本身份验证./open可以正常工作.我也不明白为什么/basic/logout不注销我(它也不会产生错误消息).我确实有一些简单的代码作为注销端点的占位符，但是如果我没有，那么我会得到404."home"视图是我的Web应用程序根目录，因此我只想在注销后将用户发送到那里.

I expected /other to always be denied but I don't get why basic auth is coming up for it. /open works as expected. I also don't understand why /basic/logout does not log me out (it also does not produce error messages). I do have a simple bit of code as a placeholder for the logout endpoint but if I do not have that then I get a 404. The "home" view is my web app root so I just want to send the user there after logout.

@RequestMapping("/logout")
public ModelAndView logout() {
    // should be handled by spring security
    return new ModelAndView("home");
}

更新: 这是最后似乎可行的解决方案(除了注销部分，仍然不起作用):

UPDATE: Here is the solution that seemed to work in the end (except the logout part, still not working):

@Configuration
@Order(1) // HIGHEST
public static class OAuthSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/oauth").authorizeRequests().anyRequest().denyAll();
    }
}

@Configuration
public static class BasicAuthConfigurationAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/basic").authorizeRequests().anyRequest().authenticated().and().httpBasic();
        http.logout().permitAll().logoutUrl("/logout").logoutSuccessUrl("/").invalidateHttpSession(true);
        //.and().logout().logoutUrl("/basic/logout").invalidateHttpSession(true).logoutSuccessUrl("/");
    }
}

推荐答案

我不确定是否要注销，但是我们有一些类似的问题，那就是我们的某些网站处于基本状态，而有些则没有.我们的解决方案是仅对需要http basic的路径使用第二个嵌套配置类.我们为该配置指定了@Order(1)..但我不确定是否有必要.

i'm not sure about the logout, but we had a similar problem with having some of our site under basic and some of it not. Our solution was to use a second nested configuration class only for the paths that needed http basic. We gave this config an @Order(1)..but i'm not sure if that was necessary or not.

已更新代码

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class);

    @Autowired
    public void registerAuthentication(AuthenticationManagerBuilder auth, Config appConfig) throws Exception {
        auth.inMemoryAuthentication()
            .withUser(appConfig.getString(APIConfig.CONFIG_KEY_MANAGEMENT_USER_NAME))
            .password(appConfig.getString(APIConfig.CONFIG_KEY_MANAGEMENT_USER_PASS))
            .roles(HyperAPIRoles.DEFAULT, HyperAPIRoles.ADMIN);        
    }



    /**
     * Following Multiple HttpSecurity approach:
     * http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity 
     */
    @Configuration
    @Order(1)
    public static class ManagerEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
            .antMatcher("/management/**").authorizeRequests().anyRequest().hasRole(HyperAPIRoles.ADMIN).and()
            .httpBasic();
        }
    }

    /**
     * Following Multiple HttpSecurity approach:
     * http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#multiple-httpsecurity 
     */
    @Configuration
    public static class ResourceEndpointsSecurityConfig extends WebSecurityConfigurerAdapter {        



       @Override
       protected void configure(HttpSecurity http) throws Exception {                  

            http
            //fyi: This adds it to the spring security proxy filter chain
            .addFilterBefore(createBBAuthenticationFilter(), BasicAuthenticationFilter.class)
            ;      
       }
    }
}

这似乎可以通过基本身份验证将执行器端点保护在/management上，而其他端点则使用自定义身份验证令牌头.我们什么都不会提示凭据(没有发出挑战).我们必须注册一些其他内容(如果需要的话).

this seems to secure the actuator endpoints at /management with basic auth while the others work with a custom auth token header. We do not prompt for credentials (no challenge issued) though for anything..we'd have to register some other stuff to get that going (if we wanted it).

希望这会有所帮助

这篇关于在单个Web应用程序路径上进行spring-boot设置基本身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！